How to remove decommissioned domain controllers from krb5.conf
Applies to Centrify DirectControl (5.1.2 and up) on all OS platforms.
Question: We decommissioned some domains, but krb5.conf is still showing KDC information for those domain realms. Is there a way to force krb5.conf to update and remove domains that no longer have a trust relationship with the machine's joined domain?
Answer: By default, the Centrify UNIX/Linux agent (adclient) rewrites /etc/krb5.conf every 8 hours to store KDC information for all realms it knows about. When autoediting krb5.conf, adclient does not remove lines in the [domain_realm] section that it does not know about, so domain-to-realm mappings for decommissioned or no-longer-trusted realms are left in place.

The parameter adclient.krb5.conf.domain_realm.strict in /etc/centrifydc/centrifydc.conf controls whether adclient removes unknown realms for the joined domain from the [domain_realm] section of krb5.conf. Its default value is false. Set it to true, then run 'adreload' for the change to take effect; the unknown realm mappings are removed the next time adclient refreshes krb5.conf.
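The following script is an added example, not Centrify's own tooling. It sets adclient.krb5.conf.domain_realm.strict to true in a centrifydc.conf-style file without duplicating the line if it already exists, and it audits a krb5.conf for [domain_realm] mappings whose realm has no [realms] block, which are exactly the lines strict mode will drop at the next refresh (and the lines that linger if it stays false). It assumes a POSIX shell with awk, grep and sed, and the "name: value" line format of centrifydc.conf; the sample krb5.conf it writes is constructed for the example, with OLDPARTNER.LOCAL standing in for a decommissioned trust.

```shell
#!/bin/sh
# Added example, not Centrify's own code. Assumes POSIX sh plus awk, grep and sed.
#
#  set_strict_domain_realm CONF    idempotently set adclient.krb5.conf.domain_realm.strict
#                                   to true in CONF (try it on a copy of
#                                   /etc/centrifydc/centrifydc.conf first)
#  stale_domain_realm_entries KRB5  list [domain_realm] mappings in KRB5 whose realm has
#                                   no [realms] block: what strict mode removes
set -eu

PARAM='adclient.krb5.conf.domain_realm.strict'
# Dots are regex metacharacters; escape them for the grep/sed patterns below.
PARAM_RE=$(printf '%s' "$PARAM" | sed 's/\./\\./g')

set_strict_domain_realm() {
    conf="$1"
    if grep -Eq "^[[:space:]]*${PARAM_RE}[[:space:]]*:" "$conf"; then
        # Parameter already present (possibly set to false): rewrite it in place.
        sed -i.bak "s|^[[:space:]]*${PARAM_RE}[[:space:]]*:.*|${PARAM}: true|" "$conf"
        rm -f "${conf}.bak"
    else
        # Absent, or only a commented-out line: append an active setting.
        printf '%s: true\n' "$PARAM" >> "$conf"
    fi
}

# Exit status 0 when CONF has an active (uncommented) line setting the parameter to true.
strict_mode_enabled() {
    grep -Eq "^[[:space:]]*${PARAM_RE}[[:space:]]*:[[:space:]]*true[[:space:]]*$" "$1"
}

# Print "domain = REALM" for every [domain_realm] line whose REALM is not defined in [realms].
stale_domain_realm_entries() {
    awk '
        /^[ \t]*\[[A-Za-z_]+\]/ {                    # section header, e.g. [realms]
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next
        }
        /^[ \t]*(#|;)/ || /^[ \t]*$/ { next }        # comments and blank lines
        sect == "realms" && /=/ && index($0, "{") {  # "EXAMPLE.COM = {" opens a realm block
            known[$1] = 1; next
        }
        sect == "domain_realm" && /=/ {
            dom = $0; sub(/[ \t]*=.*$/, "", dom); sub(/^[ \t]+/, "", dom)
            realm = $0; sub(/^[^=]*=[ \t]*/, "", realm); sub(/[ \t]+$/, "", realm)
            map[dom] = realm
        }
        END {
            for (d in map) if (!(map[d] in known)) print d " = " map[d]
        }
    ' "$1" | LC_ALL=C sort
}

# Constructed sample krb5.conf: EXAMPLE.COM and CHILD.EXAMPLE.COM are still known to
# adclient; OLDPARTNER.LOCAL is a decommissioned trust whose [domain_realm] lines linger.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
    CHILD.EXAMPLE.COM = {
        kdc = dc2.child.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .child.example.com = CHILD.EXAMPLE.COM
    .oldpartner.local = OLDPARTNER.LOCAL
    oldpartner.local = OLDPARTNER.LOCAL
EOF
}

# On a real host (as root): enable strict mode and adreload. The stale mappings disappear
# at adclient's next krb5.conf refresh (every 8 hours by default), not immediately.
apply_strict_mode() {
    set_strict_domain_realm /etc/centrifydc/centrifydc.conf
    adreload
}

case "${1:-}" in
    --apply) apply_strict_mode ;;
    --audit) stale_domain_realm_entries "${2:-/etc/krb5.conf}" ;;
esac
```

Run `sh script.sh --audit` before enabling the parameter to see which mappings adclient will drop, and again after the next refresh to confirm they are gone; on the sample file the audit lists only the two oldpartner.local lines. Note that the audit only knows what [realms] lists, so a realm adclient still trusts but has not written a [realms] block for would also show up; treat the output as a review list, not as something to delete blindly.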